Google Bypassing User Privacy Settings

When the IE team heard that Google had bypassed user privacy settings on Safari, we asked ourselves a simple question: is Google circumventing the privacy preferences of Internet Explorer users too? We’ve discovered the answer is yes: Google is employing similar methods to get around the default privacy protections in IE and track IE users with cookies. Below we spell out in more detail what we’ve discovered, as well as recommendations to IE users on how to protect their privacy from Google with the use of IE9's Tracking Protection feature. We’ve also contacted Google and asked them to commit to honoring P3P privacy settings for users of all browsers.

We’ve found that Google bypasses the P3P Privacy Protection feature in IE. The result is similar to the recent reports of Google’s circumvention of privacy protections in Apple’s Safari Web browser, even though the actual bypass mechanism Google uses is different.

Internet Explorer 9 has an additional privacy feature called Tracking Protection which is not susceptible to this type of bypass. Microsoft recommends that customers who want to protect themselves from Google’s bypass of P3P Privacy Protection use Internet Explorer 9 and click here to add a Tracking Protection List. Customers can find additional lists and information on this page.

Background: Google Bypassing Apple’s Privacy Settings

A recent front page Wall Street Journal article described how Google “bypassed Apple browser settings for guarding privacy.” The editor and CEO of Business Insider, a business news and analysis site, summarized the situation:

Google secretly developed a way to circumvent default privacy settings established by a… competitor, Apple… [and] Google then used the workaround to drop ad-tracking cookies on the Safari users, which is exactly the sort of practice that Apple was trying to prevent.

Third-party cookies are a common mechanism used to track what people do online. Safari protects its users from being tracked this way by a default user setting that blocks third-party cookies. Here’s Business Insider’s summary:

What Safari does NOT allow, by default, is for third-party … cookies on users' computers without their permission. It is these ad-tracking cookies that cause lots of Internet users to freak out that their privacy is being violated, so it's understandable that Apple decided to block them by default.

But these default settings have created a problem for Google, at least with respect to its goals for its advertising business.

Google’s approach to third-party cookies seems to have the side effect of Safari believing they are first-party cookies.

What Happens in IE

By default, IE blocks third-party cookies unless the site presents a P3P Compact Policy Statement indicating how the site will use the cookie and that the site’s use does not include tracking the user. Google’s P3P policy causes Internet Explorer to accept Google’s cookies even though the policy does not state Google’s intent.

P3P, an official recommendation of the W3C Web standards body, is a Web technology that all browsers and sites can support. Sites use P3P to describe how they intend to use cookies and user information. By supporting P3P, browsers can block or allow cookies to honor user privacy preferences with respect to the site’s stated intentions.

It’s worth noting that users cannot easily access P3P policies. Web sites send these policies directly to Web browsers using HTTP headers. The only people who see P3P descriptions are technically skilled and use special tools, like the Cookie inspector in the Fiddler tool. For example, here is the P3P Compact Policy (CP) statement from Microsoft.com:

Each token (e.g. ALL, IND) has a specific meaning for a P3P-compliant Web browser. For example, ‘SAMo’ indicates that ‘We [the site] share information with Legal entities following our practices,’ and ‘TAI’ indicates ‘Information may be used to tailor or modify content or design of the site where the information is used only for a single visit to the site and not used for any kind of future customization.’ The details of privacy are complex, and the P3P standard is complex as well. You can read more about P3P here.

Technically, Google utilizes a nuance in the P3P specification that has the effect of bypassing user preferences about cookies. The P3P specification (in an attempt to leave room for future advances in privacy policies) states that browsers should ignore any undefined policies they encounter. Google sends a P3P policy that fails to inform the browser about Google’s use of cookies and user information. Google’s P3P policy is actually a statement that it is not a P3P policy. It’s intended for humans to read even though P3P policies are designed for browsers to “read”:

P3P: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."

P3P-compliant browsers interpret Google’s policy as indicating that the cookie will not be used for any tracking purpose or any purpose at all. By sending this text, Google bypasses the cookie protection and enables its third-party cookies to be allowed rather than blocked. The P3P specification (“4.2 Compact Policy Vocabulary”) calls for IE’s implemented behavior when handling unknown tokens: “If an unrecognized token appears in a compact policy, the compact policy has the same semantics as if that token was not present.”

3.2 Policies

In cases where the P3P vocabulary is not precise enough to describe a Web site's practices, sites should use the vocabulary terms that most closely match their practices and provide further explanation in the CONSEQUENCE field and/or their human-readable policy. However, policies MUST NOT make false or misleading statements.

P3P is designed to support sites that convey their privacy intentions. Google’s use of P3P does not convey those intentions in a manner consistent with the technology.

Because of the issues noted above, and the ongoing development of new mechanisms to track users that do not involve cookies, our focus is on the new Tracking Protection technology.

Next Steps

After investigating what Google sends to IE, we confirmed what we describe above. We have made a Tracking Protection List available that IE9 users can add by clicking here as a protection in the event that Google continues this practice. Customers can find additional lists and information on this page.

The premise of Tracking Protection in IE9 is that tracking servers never have the opportunity to use cookies or any other mechanism to track the user if the user never sends anything to a tracking server. This logic underlies why Tracking Protection blocks network requests entirely. This new technology approach is currently undergoing the standardization process at the W3C.

This blog post has additional information about IE’s cookie controls, and shows how you can block all cookies from a given site (e.g. *.google.com) regardless of whether they are first- or third-party. This method of blocking cookies would not be subject to the methods Google used. We recommend that users not yet running IE9 take steps described in this post.

Given this real-world behavior, we are investigating what additional changes to make to our products. The P3P specification says that browsers should ignore unknown tokens. Privacy advocates involved in the original specification have recently suggested that IE ignore the specification and block cookies with unrecognized tokens. We are actively investigating that course of action.
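As an added example (not code from the IE team or the original post), the following Python evaluates a P3P compact-policy header both ways discussed above: the lenient handling the spec calls for, where unrecognized tokens are dropped and only the rest are evaluated, and the stricter alternative the post says it is investigating, where a CP with no recognized token is treated as no policy at all. The token list is a subset of the P3P 1.0 compact vocabulary, the blocking rule is a simplified stand-in for IE's default setting rather than its real table, and every header except the quoted Google one is constructed.

```python
import re

# Subset of the P3P 1.0 compact-policy vocabulary (transcribed from the spec's
# token list; a purpose or recipient token may carry an a/i/o suffix meaning
# always / opt-in / opt-out, e.g. "SAMo").
ACCESS = {"NOI", "ALL", "CAO", "IDC", "OTI", "NON"}
DISPUTES = {"DSP", "COR", "MON", "LAW"}
PURPOSE = {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD",
           "CON", "HIS", "TEL", "OTP"}
RECIPIENT = {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"}
RETENTION = {"NOR", "STP", "LEG", "BUS", "IND"}
CATEGORY = {"PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT", "DEM",
            "CNT", "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC"}
KNOWN = (ACCESS | DISPUTES | {"NID", "TST"} | PURPOSE | RECIPIENT
         | RETENTION | CATEGORY)

# Simplified stand-in for IE's default rule (an assumption, not IE's real
# table): a cookie "tracks" the user when the policy declares a profiling or
# contact purpose, or sharing with unrelated parties, without opt-in ("i").
TRACKING_PURPOSES = {"PSA", "PSD", "IVA", "IVD", "CON", "HIS", "TEL", "OTP"}
OUTSIDE_RECIPIENTS = {"UNR", "PUB", "OTR"}


def parse_cp(header_value):
    """Split a P3P header value into (recognized, unrecognized) token lists.

    Recognized entries are (BASE, suffix) tuples; unrecognized keeps the raw
    text. Returns None when the header carries no CP="..." at all.
    """
    if header_value is None:
        return None
    m = re.search(r'CP\s*=\s*"([^"]*)"', header_value)
    if not m:
        return None
    recognized, unrecognized = [], []
    for raw in m.group(1).split():
        base, suffix = raw[:3].upper(), raw[3:].lower()
        valid_suffix = suffix == "" or (suffix in ("a", "i", "o")
                                        and base in PURPOSE | RECIPIENT)
        if base in KNOWN and valid_suffix:
            recognized.append((base, suffix))
        else:
            unrecognized.append(raw)
    return recognized, unrecognized


def decide_cookie(header_value, strict=False):
    """Decide whether a third-party cookie sent with this P3P header is allowed.

    Lenient mode follows the spec text quoted in the post: unknown tokens are
    ignored and the remaining tokens are evaluated. Strict mode treats a CP
    with no recognized token as if no compact policy had been sent.
    Returns (decision, reason) with decision in {"allow", "block"}.
    """
    parsed = parse_cp(header_value)
    if parsed is None:
        return "block", "no compact policy presented"
    recognized, unrecognized = parsed
    if strict and not recognized:
        return "block", "no recognized tokens; treated as no compact policy"
    for base, suffix in recognized:
        if base in TRACKING_PURPOSES and suffix != "i":
            return "block", f"purpose {base}{suffix} tracks the user without opt-in"
        if base in OUTSIDE_RECIPIENTS and suffix != "i":
            return "block", f"recipient {base}{suffix} shares data without opt-in"
    if unrecognized and not recognized:
        return "allow", "only unrecognized tokens; lenient mode sees no declared tracking"
    return "allow", "declared practices do not track the user"


# The header the post quotes from Google, plus constructed comparison headers.
GOOGLE_CP = ('CP="This is not a P3P policy! See '
             'http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 '
             'for more info."')
SITE_CP = 'CP="ALL IND DSP COR ADM CUR TAI SAMo"'        # constructed, benign
TRACKER_CP = 'CP="NOI CUR ADM PSA PSD OTP OUR UNRo IND"'  # constructed, profiling


def demo():
    """Evaluate each sample header in lenient and strict mode."""
    samples = [("google", GOOGLE_CP), ("site", SITE_CP),
               ("tracker", TRACKER_CP), ("none", None)]
    return {name: (decide_cookie(h), decide_cookie(h, strict=True))
            for name, h in samples}


if __name__ == "__main__":
    for name, (lenient, strict) in demo().items():
        print(f"{name:8} lenient={lenient}  strict={strict}")
```

Running it shows the asymmetry the post describes: the Google header is allowed only because every word in it is dropped as an unknown token, while strict mode blocks it exactly as it blocks a cookie with no P3P header at all.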

I don't see how this is Google's fault. They ARE following the standard and IE is choosing to accept it by also following the standard. If the standard sucks, that's not Google's fault or your fault, it's the W3C's fault.

"in shaking your hand, we imply agreement with the code of conduct, but reserve the right to direct you to an external policy elsewhere that disavows any intent to agree to anything and continue as before,

Eric, if the standard says the P3P policy can't make false claims and the CP policy makes false claims, that's not following the standard. But the P3P standard is very trusting of the sites making the claims; that no longer seems adequate behaviour.

Except for the part where they are not. See this from the W3C (it was in the article above): "In cases where the P3P vocabulary is not precise enough to describe a Web site's practices, sites should use the vocabulary terms that most closely match their practices and provide further explanation in the CONSEQUENCE field and/or their human-readable policy. However, policies MUST NOT make false or misleading statements."

What that means is that Google WAS NOT following the standard when they put a human readable link as the CP value. They were in fact willfully contradicting the guidance.

To the IE team. Please create a plugin that is "restrict all Google invasive pages". We are sick. Then if you can make a plugin for Chrome, it would add a sense of irony like their "Privacy Matters" page. support.google.com/…/answer.py

@Phillip Malone: While you're obviously just here to troll, I'll still point out that Google is using this attack to track people who aren't "using Google." That's the whole point– they're tracking everyone, and willing to lie to accomplish that.

This leads to websites telling you that they can't let you in or give you information because you have cookies disabled when in fact you allow those websites to set cookies.

Until recently I have browsed such websites using Opera which didn't have this bug. Recently my main browser, Firefox, also fixed this issue. That had a great influence on my surfing experience (a positive one).

Yup, Google fskced up here – thing is, they are not the only ones (this doesn't make it right though) and they fessed up to it, and discontinued it – at least, the Safari protection circumvent. That one seems different.

Bad Google, bad! Even if said P3P declaration contains a human-readable string and a link to an explanation page, it's still bad. But what about all these advertising networks that use the same system? Shouldn't reverting the behaviour from "allow unknown P3P policies" be switched from "true" to "false" by default, with a setting in the "cookies" tab in IE?

So, Google deserves the bashing. However, something more complete than "Google did bad" would be appreciated – especially considering that they do provide a link, and an explanation, in their trespassing! "See, I opened your door: I said to your janitor, 'I'm here to fix the smurf-a-tron' and, bewildered, he not only let me in, but also left me a key".

I wonder how MSN, Live, Passport, Hotmail, Microsoft and msdn track me – I should have a look at the P3P headers sent by these websites, just to be sure – I wonder who the joke will be on if I find something similar… But I'm not too worried, considering the msdn comment form loses track of me in less than 10 minutes, if there IS something akin to this exploit, it may just not work.

Amazing… Google gives you free awesome products in return on displaying ads that might help you and you get mad. (No, I don't work @ google). Microsoft on the other side, has 30+ years building crap and charging you monkeys for it. Sorry, from these two evils, I side with Google.

Other web commenters (example – Mary Jo Foley, ZDNet) are missing the point of Google's actions. Google didn't "hack" IE or exploit a security problem with IE. Google deliberately violated the spirit and the letter of the W3C standard for ethical use of tracking cookies and similar objects. IE was in compliance with the P3P policy for how to interact with sites that are offering 3rd party cookies.

The fault here is 100% with Google for twisting the public standard to suit their own needs. This is akin to a robber saying that it's not enough to lock your doors and windows, it's not enough that breaking and entering is against the law, you'd better put iron bars on everything, too, because if he can get in, it's your own fault and your property is his to take.

@Mitch74: You can easily see what P3P headers are sent using Fiddler. You can either use the COOKIES response inspector tab, or you can type COLS ADD @RESPONSE.P3P in the QuickExec box under the session list and a new column will appear in the Web Sessions list to show you what P3P declaration is present.

P3P is a joke. Technology, protocols and tech standards supported by a web browser should not have any influence on a decision for a web site to track or not track a user. Neither in IE nor in Safari. I don't think you can show that the average IE user is more concerned about tracking than the average user of another browser not supporting P3P. Therefore I see no problem in circumventing P3P. Decisions of when to track a user should be based on user intent (Like DNT:1 does, because it is off by default, and thus signals explicit user intent), based on the ethics and values of the web site owner, based on industry best practices, and based on law.

By that, I won't say that Google's tracking is OK, but P3P and IE's default privacy setting are not relevant in the discussion. This blog post seems to not be concerned about privacy. It seems like its only purpose is to generate negative press about your competitor.

So we'd prefer Google to claim they follow certain privacy policies in order to comply with P3P even though they don't follow those policies at all because they're close? Ya, I bet everyone would love that and no one would criticize Google for that at all. Face it, the standard doesn't work. It's a bad standard, IE decided to implement the standard and set it on by default and Google could either lie to the user by setting tokens that are somewhat correct (which might be illegal) or they could just say to heck with it and point out that they don't have a way to properly apply the standard to their policy.

Ultimately, P3P is less than useless and I'd be shocked if a single person on this list modified their P3P setting in IE. This is attacking a competitor for doing whatever they need to do to have their site display on MS's browser without lying to the user to do it.

Interesting, especially given Google's own statement on the matter with Safari last week:

"Users of Internet Explorer, Firefox and Chrome were not affected. Nor were users of any browser (including Safari) who have opted out of our interest-based advertising program using Google's Ads Preferences Manager." (Rachel Whetstone, Google SVP of Communications and Public Policy)

Even if technically true (different settings, for example), seems pretty slimy to state that…

@Eric: Funny, yahoo and msn and other major sites work properly. I think you're complaining that if Google wants their cookies to get stored, they'd *GASP* have to actually not violate the user's privacy to do it.

It's my understanding that this is an obsolete/failed specification designed by MS and only used in IE. The spec itself isn't very coherent and wasn't accepted as an industry wide standard and is thusly ignored by pretty much everyone. This does look like unfairly mudslinging a competitor, why complain about Google bypassing a dead technology that isn't supported by any major browser?

"From time-to-time, information about your usage of SmartScreen Filter will also be sent to Microsoft such as the time and total number of websites browsed since an address was sent to Microsoft for analysis. Some information about files that you download from the web such as name and file path may also be sent to Microsoft. Some website addresses that are sent to Microsoft may be stored along with additional information including web browser version, operating system version, SmartScreen Filter version, the browser language, and information about whether Compatibility View was enabled for the website. A unique identifier generated by Internet Explorer is also sent. The unique identifier is a randomly generated number that does not contain any personal information and is not used to identify you. This information, along with the information described above, is only used to analyze performance and improve the quality of our products and services."

And I ask: Which "Products and services" are you talking about? Bing Search, Bing Ads, Microsoft Adcenter? What exactly? You are possibly collecting every URL we browse to and every path and filename of every file we download through your Smartscreen Filter and you are channeling this information to which service?

Apparently the train I'm on just entered a parallel universe: I'm seeing a Microsoft employee complaining about Google 'embracing and extending' an internet protocol! 😉

Seriously though, what is Google doing wrong here? Clearly they're not providing a valid token, & the protocol states that the browser should behave as though no token was provided. I don't see how the subsequent tracking is Google's fault? It looks to me as though IE's default behaviour is at fault.

Two wrongs don't make it right. On this, Google is wrong. If the current P3P doesn't support what's needed by Facebook and Google, they should work to get a new standard. Until that happens, Google and Facebook should respect users' settings.

Maybe, just maybe, instead of complaining about competitors' products and services, Microsoft should try to improve theirs. I'd pick Google's products and services over Microsoft's any day, and it's your fault, dear Microsoft. Google beats your search engine, browser, email, mobile OS etc. You had luck with the OS at the right time, when there was no competition.

I don't hate you, dear Microsoft, but you just don't measure up. I would like to see a blog entry for 'What we s*ck at and what we need to do to improve'. I'd respect you more as a company then

This is very distressing. What the heck has happened to Google in the last few years? I used to associate them with innovative ideas and great services. Now I think of them more as an Internet predator just looking for places to exploit users. Serious Jekyll and Hyde routine.

@IE has been Googled – that's the problem, there are no user settings that fit their privacy policy. They have no way of telling the user that. While the standard may allow you to provide tokens that are similar to your privacy policy, that is lying to the user straight out and would probably lead to a serious class action lawsuit and investigation by the FTC. They make no claims about their own privacy policy; they're not lying to the user. IE may interpret this as a valid P3P policy and make decisions based on that but that's up to Microsoft.

I think the blog post more or less admits to that. But then explain how that excuses Google for surreptitiously taking advantage of it to gather data the user has asked not be gathered? It's a scummy move, no matter how to try to explain it away. It puts Google on the same level as spyware creators. Would you actually defend virus- and malware-writers because, hey, they wouldn't be able to do it if the software was more secure? Would you argue that?

As required by the P3P standard, IE interprets that statement and applies the user's settings: "Block any cookies that are used for List-of-unsatisfactory-or-invasive purposes."

Since the Google P3P lies and claims that they're not using the cookie to track the user, the cookie is accepted by default.

@Jim: You say: "It's my understanding that this is an obsolete/failed specification designed by MS"

Rather than saying to everyone: "Based on my obviously inaccurate understanding", why not spend two minutes looking at the P3P specification. You can even use your favorite search engine. Hint: The P3P spec wasn't written by anyone from Microsoft.

Send each and every microsoft user a ticker and ask them not to trust google and start using bing instead otherwise microsoft would not take responsibility of any data theft or misuse of personal information.

Erik sez "that's the problem, there are no user settings that fit their privacy policy. They have no way of telling the user that"

Wrong. The token you're looking for is OTP and it means "Other purposes." It was designed exactly to convey that the cookie is being used for purposes beyond those that are defined in the P3P spec. (Notwithstanding the fact that google is lying by not listing the uses that ARE defined in the spec).

I am going to go out on the limb of being slightly stupid, at least I will admit it, and ask if this meant that Google was able to circumvent "InPrivate" browsing? Especially with what they have planned come March 1st, I have tried to wean, if not divorce, myself from all things Google.

What about facebook? What about the fact that the people this impacted opted in to having Google provide them with services by virtue of being logged in and having third party site services enabled. Furthermore, as you point out, Google doesn't provide an actual P3P policy, therefore they're not really circumventing anything, IE just fails to handle that case.

I've got to agree with the other Facebook comments, this is a blatant PR piece to get in a sideswipe at Google. I wholly agree Google/Facebook is doing wrong but the _near instant_ admonishment of Google by MS and total lack of mention of Facebook (a MS partner) smells of hypocrisy and two faced PR.

Yeaaaaah, this is why you do things like use noscript. The P3P policy is basically a gentleman's agreement that doesn't actually implement any actual security. Anyone can whip up a header like that which bypasses P3P policy and install any cookie they want.

So you're comparing an automatic anonymous feedback system to a personalised tracking system to serve ads?

No, IE's SmartScreen filter collects the search strings and form data that is attached to any URL it receives. This is not anonymous. My search terms, my downloaded files and the things I type on Web forms are not anonymous. They are highly personal data. The bad thing is not that Microsoft collects it as part of a security service but that it uses them to improve some other unidentified "Products and service", which may include Bing, Adcenter, etc. It might even be shared with Facebook, who knows.

Should we be talking about the first-party websites that host a Google's +1 button or Facebook's Like button?

If you think in terms of contracts (implicit or explicit), the primary privacy policy which is relevant when you visit Arstechnica (or any website) is Arstechnica's privacy policy. Google's privacy policy is secondary (you're not visiting a Google page). So the burden to ensure the right thing is done should be on Arstechnica.

If Arstechnica's privacy policy says "we don't share your data with other sites", while simultaneously putting a Google/Facebook widget which breaks that pledge, then Arstechnica is responsible.

I tried to test this too, but my windows machine is down thanks to a spyware / rootkit that I got thanks to Internet Explorer.

Hey MS, you've invaded way more people's privacy by your constant security holes that allowed millions of malware apps to highjack systems, send spam, and fool people into paying for fake antivirus software. I never got one piece of malware or any viruses from using a Google product.

It's hard to say whether P3P is just a horribly broken standard or whether just the bit about ignoring unknown tokens is the real issue. At a minimum, however, I think a P3P policy that contains no valid tokens should be interpreted by IE as if no privacy policy were specified at all.

People linking to the cmu report should try reading it. live.com and msn.com were, at worst, omitting a DEM (stating that they might use cookies for collecting demographic data) but otherwise had their P3P statement fine. A minor issue, but not nearly in the same league as the example from Google, which is just blatantly wrong.

Who is really surprised by this. Google is an Angel in their own minds when it comes to privacy. We all know Google has no interest in privacy and they believe if they can somehow justify that they are not collecting certain personal information that it is OK. Facebook is the same kind of enemy to privacy. Who puts up a social network for free and thinks they will not collect some private information. Google to me is not evil, they just think that as long as your information is mixed up in a random and non-traceable way, it's OK.

Did you read the page they linked? They pretty clearly explain what their intentions are, and why they did what they did, but it seems like you deliberately didn't address that; your goal seems to be to make the situation look worse than it actually is.

Oh, so this whining is coming from the company who stole the spyglass source code to build IE, aka actual software theft and tried to destroy Netscape. How's it feel to be on the other side now Microsoft?

Oh and btw, as pointed out, it's quite amusing to see you complain about google when facebook has been doing this for months.

Due to the pervasive presence of Google components in nearly every web page, Google does not actually need cookies at all to effectively track users. Google Analytics, for example, can track users continuously across pages and sites that contain it. Google Analytics is installed on a large majority of web pages, and it is hard to find a web page that does not contain at least one component from Google.

How about instead you beef up the security. There's more than Google out there and honestly big brother is the worst; its entire job is to imprison you. Your attitude about business over people is the main reason I don't go near IE.

Isn't it really misleading to make it sound as though IE really is secure and the other options are not, though? Hasn't it been pointed out that blockers based on lists are completely ineffective? And browser function/usability will never allow for complete privacy. This is a really one-sided post about it… I get that you want to push your own product, but misleading users into thinking they're somehow totally safe with IE9 is, well… misleading.

I just see a long, long row of actions by Google since Page's take-over last year that are meant to squeeze the last bit of information out of its users (who are not its customers, but its product sold to the advertisers) with the single goal of making the company more profitable: real-name policy, unified privacy policy, Motorola take-over, various spy actions etc etc. Now Google even wants to take control over our passwords, stored in the cloud and unknown to ourselves (http://bit.ly/yPfBTc)!

And Google won't leave out any shortcut, however immoral and illegal, to achieve its self-proclaimed goal of world domination. While this goal may have sounded cute and idealistic a couple of years ago when we still thought Google is out to better the lives of humanity, combined with its new "it's all about the profit" objective the company is only one thing: creepy and a danger to humanity! This is real world's SKYNET in the making. You read it here first, folks!

Don't you also lie in your User-Agent header? Every time I have ever seen P3P discussed it was about how to best wrangle this spec out of hell. Google be damned for that Safari thing but I don't think you have anything here. How many websites have a serious P3P header? As others have pointed out, Facebook does the exact same thing, though I'm not sure that makes it acceptable. P3P is terrible though.

While this might get buried, I wanted to direct you to the P3P standard: P3P Standards – Processing Compact P3P

Simply passing what Google does to the browser, according to the official W3C standard tells the browser to treat this as if no policy were passed, that is as if they had no policy. they fail at least one criteria – not having a full policy (edited from failing almost all six – thanks for the fact doublecheck sysop).

Therefore, I can conclude from this that this is not, strictly speaking, a Google problem. They are passing something invalid but the standard says invalid gets treated the same as if you didn't pass that header. IE should be rejecting it as if there was no policy.

If IE -is- accepting it, as they seem to indicate in their post, all this means is that IE has once again not followed a W3C standard (not at all surprising). And that is the UA's problem – not the standards and not the websites.

Well IE9 doesn't make it easier to see blocked cookies. It removed the cookie blocked icon which also doubled up as the button to see the web page's privacy policy on the status bar that IE8 had. PUT IT BACK IN IE10 IF YOU REALLY WANT TO COMPLAIN ABOUT P3P, COOKIES AND PRIVACY POLICY!!!

So there is only a single current privacy standard which has only limited protection and still sites like Google and Facebook are screwing with that standard to avoid providing even the minimal privacy that this standard currently provides.

I hope IE will become more strict and will block sites that abuse the p3p standard.

It might not be a very good standard but it will be a good attitude forward to place the control where it should be placed. At the hands of the users.

Google and Facebook are not just screwing with IE but effectively screwing with the IE users that have set their privacy levels. They need to become aware that with any privacy standard, either now or in the future, that if you intentionally try to screw the users out of their privacy that you do not get ANY data.

This is just a case of Microsoft being incompetent and blaming the competition for their mistakes. I find this post to be nothing but a defamatory post in shameless self-promotion of Microsoft's anti-tracking cookie technology – put in place to address the security shortcomings of their own browser product.

Did any of the IE team actually read the P3P specifications? Google's Compact Policy, while it does not adhere to the required machine readable vocabulary, does not make any false or misleading statements whatsoever. There is no valid CP vocabulary in this string at all and therefore should be treated as such, invalid or non-existent.

I would like to also quote from the document under the same section:

"3.2.2 The POLICY element

The POLICY element contains a complete P3P policy. Each P3P policy MUST contain exactly one POLICY element. The policy element MUST contain an ENTITY element that identifies the legal entity making the representation of the privacy practices contained in the policy. In addition, the policy element MUST contain an ACCESS element and one or more STATEMENT elements. It SHOULD contain a DISPUTES-GROUP element. It may contain a P3P data schema and one or more extensions."

As there are no valid ACCESS or STATEMENT (That would be COMPACT-ACCESS, and COMPACT STATEMENT) elements in valid Compact Policy vocabulary as required above, I back up my argument that it is Internet Explorer itself that does not correctly conform to the aforementioned standards.

I've got to say that any security specification which allows the site to tell the browser how much security to allow it based on basically promising not to do bad things is itself bad, and a security hazard.

P3P user agents MUST NOT rely on P3P compact policies that do not comply with the P3P 1.0 or P3P 1.1 specifications or are obviously erroneous. Such compact policies SHOULD be deemed invalid and the corresponding cookies should be treated as if they had no compact policies. The following guidelines are designed to reduce the chance that a P3P user agent will accept an invalid compact policy.

While logged into my Google account, I browsed a website that I am 100% certain I've never before visited; FIAT (.com). In less than 20 minutes of visiting that automotive website, an email advertisement arrived from FIAT in my Gmail inbox. The disclaimer at the bottom of the email stated that I am in receipt of the email due to a relationship with "one our of media partners". Google is giving away / providing your email address to websites that you're visiting, while logged into Google! They're doing the same thing that AOL did, back in the day. This is truly a breach of MY privacy, despite what fine print Google certainly offers to support their contrary beliefs.

Amazing how trolls are unable to see things as they are without distorting the reality in any possible way that blames Microsoft at the end. Scares me that some of these trolls might actually be technology advisors telling companies that whatever Google is doing here is fine and that they should blame IE for it. Crazy people, you need (psychological) help, seriously.

@Martin Robins — This has been tested in IE9 and Windows 8 Developer Preview — if you're still having issues, feel free to email me @ andyzei at microsoft com and I'd be happy to help you debug. Thanks!

Unless someone at Microsoft (product team or otherwise) can refute the picture this article fairly conclusively paints, we're forced to conclude that the failure of IE 9 to block the kind of "attack" Google waged here is an unintended but not unsurprising consequence of a poor business decision.

1) Does Chrome implement P3P? (It seems that IE, Firefox (with a glitch in version 2), Safari and Opera do.)

2) The degree of user control seems thin. The IE interface gives a number of presets and an advanced mode. (I've looked at 8 and 9.) The advanced mode seems to miss out on things (like settings that involve a P3P policy). Is there a facility to code up a detailed explicit user policy? Something that enables those who care to define what is and isn't acceptable in more detail. It could look almost like a compact P3P policy, each option listed with a + for accept and a – for reject. The details could be saved as a file to be imported into any browser. (The flavour would be 'P3P: CP=" +CONo -CUR +CUSo -IVAo +IVDo …"', where each option for each factor of interest is listed. Users can choose to select "cookie only" settings, but are not limited to that!) Anyone here know if that's possible or contemplated?

– Chrome, as well as Safari, doesn't implement P3P at all. At least, I found nothing in either Chrome's, Safari's or Webkit's documentation indicating they implement it. Considering Google used a different exploit to circumvent third-party cookie protection in Safari, I don't think Safari at least supports P3P.

– Firefox started implementing P3P in version 2 (it was buggy in it) and has, since then, completed the implementation – and disabled it by default. Enabling it is used in specific cases, like problems in accessing some older Microsoft web-based tools. You also have to modify the values of 2 different keys in "about:config" to do so, as there are no GUI elements to enable it. There's one to disable them, though: changing 3rd-party cookie policy.

Question 2: your proposal has probably already been considered; the problem here is how P3P in general and IE in particular treat a malformed/unknown P3P header, and not the way it deals with known instructions: if it can't understand it, it simply allows it. It's akin to giving the keys to a flat to a guy showing up and saying "I need to deliver the smurglf to the flart at this address".

And the latter is the, in hindsight completely stupid decision to consider developer's goodwill the basics of security – remember that P3P was created by Microsoft in 2002, at a time when they didn't give a damn about browser safety, and IE6 was considered the be-all, end-all and state-of-the-art browser ever.

@Mitch 74: Let's be very clear here: P3P isn't a security feature. There's no real reason for the client to try to be robust against malicious input, because there's no *technical* reason a site cannot simply flat-out lie about their privacy practices in the P3P statement. The enforcement mechanism for P3P was never meant to be technical, a fact well-understood by both the authors and the implementors of the spec.

Look, the GooKids grew up in a generation where Mom and Dad gave them computers young instead of TVs and didn't teach them the morals of how to use it, slapping their butts: "Thou shall steal from people." "This is not yours. Give it back." Mark Z, 20 years ago, as my lawyer jokingly reminded how proud he did it a few times, had it work for McDonald's flipping burgers for all the contract violations he did and for breaking many laws. Times have changed; the kid users don't even know what all the fuss is about: "You mean they weren't supposed to do that in the first place? Why? We already shared our toys in Kindergarten!"

Anyway, I think IE's Options window really does need a major overhaul… it has not really changed in the last decade! (Maybe something Metro-like?) Besides the eye-candy, some features are also currently missing; for example, there is no simple way to view the cookies currently stored (and possibly choose which ones to delete, on a one-by-one basis). The only way is to use Windows Explorer to open the hidden/system folder where they are stored, or use some third-party app (like CCleaner). Every other browser already has this pretty basic feature built into its UI.

Instead of complaining and crying that Google is bypassing your software… FIX IT! If you have the ability in your browser to block cookies, then it should block cookies. There shouldn't be a workaround. It's your fault Google was so inventive to find out you left holes in the security of your crappy browser anyway. The same goes for Safari. Stop complaining and fix the problem.

@EricLaw: true, my mistake, P3P is originally a proposition by IBM and the MIT, first implemented by Netscape and IBM independently around 1997/1998, and elevated to W3C Candidate Recommendation in 2002, when Microsoft first implemented it (IE6sp1, I guess). Version 1.1 merely reached the Note status in 2007, when Mozilla decided to drop it altogether (after noting in 2004 how its default settings were insecure), Webkit never even considered it and Opera toyed with the idea – but no more than that.

As such, no further work was done on it after 2007, due to complete lack of interest and a bunch of outstanding, and unaddressed, concerns dating back to 1998.

I would guess that the only thing to do would be to either disable it by default or drop it from IE – and work on a better solution. That would fix Google's abuse, and everybody would be happy.

But, wait – Facebook, live.com and Yahoo wouldn't work anymore! But, as they are MS partners (or MS subsidiaries), they should be able to fix that.

Is this a joke? You're complaining that Google (and by the way Facebook as well) isn't respecting a broken protocol that only Internet Explorer (the biggest joke of a browser in history) implements?

Microsoft just sinks to new lows every single day. All they do now is try to bash the competition, because they have surpassed Microsoft so much that it's all Microsoft can do. Bing is a piece of crap too. Its search results are only good for the most trivial of searches.

1) "By default, IE blocks third-party cookies unless the site presents a P3P Compact Policy Statement indicating how the site will use the cookie and that the site’s use does not include tracking the user"

2) "If an unrecognized token appears in a compact policy, the compact policy has the same semantics as if that token was not present." (Thus according to 1, the cookie should be blocked)

Google is not presenting any P3P policy (token) and IE9 should block them. I don't understand why this is Google's fault!!! Can anyone explain, please?
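The disagreement running through these comments (the spec guideline quoted earlier that obviously erroneous compact policies are to be treated as absent, the two IE rules quoted in the comment just above, and the earlier remark that IE simply allows what it cannot understand) comes down to one design choice: what a user agent does with a CP field whose tokens it does not recognize. The following is an added example written for this discussion; it is not code from the IEBlog post, from Microsoft or from any commenter. The token table is my reconstruction of the P3P 1.0 compact-policy vocabulary and should be checked against the W3C specification; the "declares tracking" rule is a deliberately simplified stand-in and does not claim to reproduce IE's actual unsatisfactory-policy logic; the sample headers are constructed, not captured from any site.

```python
import re

# Tokens that never take a qualifier (reconstruction of the P3P 1.0 compact
# vocabulary; an assumption, verify against the W3C spec).
PLAIN_TOKENS = {
    "NOI", "ALL", "CAO", "IDC", "OTI", "NON",          # ACCESS
    "DSP",                                             # DISPUTES
    "COR", "MON", "LAW",                               # REMEDIES
    "NID",                                             # NON-IDENTIFIABLE
    "CUR",                                             # PURPOSE: current
    "OUR",                                             # RECIPIENT: ourselves
    "NOR", "STP", "LEG", "BUS", "IND",                 # RETENTION
    "PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT", "DEM",
    "CNT", "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC",   # CATEGORIES
    "TST",                                             # test policy
}

# Tokens that may carry a qualifier: a = always, i = opt-in, o = opt-out.
# A missing qualifier is read as "always" (the P3P default for `required`).
QUALIFIED_TOKENS = {
    "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD",
    "CON", "HIS", "TEL", "OTP",                        # PURPOSE
    "DEL", "SAM", "UNR", "PUB", "OTR",                 # RECIPIENT
}

# Simplified, constructed rule: these purposes, when required ("a"), mean the
# site uses identified data to profile or contact the individual.  This is a
# stand-in for illustration only, not IE's real "unsatisfactory policy" test.
IDENTIFIED_PURPOSES = {"IVA", "IVD", "CON", "HIS", "TEL", "OTP"}

TOKEN_RE = re.compile(r"^([A-Z]{3})([aio]?)$")   # uppercase tokens only
CP_RE = re.compile(r'CP="([^"]*)"')


def parse_compact_policy(p3p_header):
    """Split a P3P header value into recognized and unrecognized CP tokens.

    Returns None when the header carries no CP="..." field at all, so the
    caller can distinguish "no policy" from "a policy I could not read".
    """
    m = CP_RE.search(p3p_header or "")
    if m is None:
        return None
    recognized, unrecognized = [], []
    for raw in m.group(1).split():
        t = TOKEN_RE.match(raw)
        if t and t.group(1) in PLAIN_TOKENS and t.group(2) == "":
            recognized.append((t.group(1), ""))
        elif t and t.group(1) in QUALIFIED_TOKENS:
            recognized.append((t.group(1), t.group(2) or "a"))
        else:
            unrecognized.append(raw)   # spec: same semantics as if absent
    return {"recognized": recognized, "unrecognized": unrecognized}


def declares_tracking(policy):
    """Constructed rule: identified-data purposes required without opt-in/out."""
    tokens = policy["recognized"]
    if ("NID", "") in tokens:
        return False   # site declares the data is non-identifiable
    return any(base in IDENTIFIED_PURPOSES and q == "a" for base, q in tokens)


def third_party_cookie_decision(p3p_header, strict):
    """Accept or block a third-party cookie based on its P3P header.

    strict=False: any CP field counts as a policy and unknown tokens are
      dropped, so a CP made entirely of unknown tokens declares nothing and
      the cookie is allowed (the lenient behaviour the thread describes).
    strict=True: a CP with no valid tokens is treated as obviously erroneous
      and therefore as if there were no CP at all (the spec guideline).
    """
    policy = parse_compact_policy(p3p_header)
    if policy is None:
        return "block"                 # rule 1: no policy, no cookie
    if strict and not policy["recognized"]:
        return "block"                 # invalid policy == no policy
    if declares_tracking(policy):
        return "block"
    return "allow"


# Constructed sample headers (not taken from any real site).
HEADER_NONE = ""
HEADER_CLEAN = 'CP="NOI DSP COR NID CUR ADMa DEVa OUR IND COM NAV"'
HEADER_TRACKING = 'CP="CAO DSP COR IVAa IVDa CONa OUR IND UNI COM NAV"'
HEADER_BOGUS = 'CP="Not a real policy. See example.invalid for details."'

if __name__ == "__main__":
    for name, hdr in [("none", HEADER_NONE), ("clean", HEADER_CLEAN),
                      ("tracking", HEADER_TRACKING), ("bogus", HEADER_BOGUS)]:
        print(f"{name:9} lenient={third_party_cookie_decision(hdr, False):5} "
              f"strict={third_party_cookie_decision(hdr, True)}")
```

The bogus header is the interesting row: under the lenient reading it parses to an empty but "valid" policy that declares no tracking and the cookie sails through, while the strict reading notices that nothing in the CP field was a token and falls back to the no-policy default. Both readings drop unknown tokens exactly as rule 2 says; they differ only in whether a policy that ends up with zero recognized tokens still counts as a policy.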

So when people get an opportunity to get over on someone or some company, they take it. Whether greed for money, or their own malicious behavior, like sneaking around with a girl who is involved with two men and sneaking with the third. The "sneaker" is involved himself. So devising a plan to basically ROB Google, or any other company that has breached contracts or made simple human mistakes, as these same individuals are doing, is a straight lack of integrity, soulless, downright shifty, that doesn't contribute to the basic common goal of this world by helping one another to build a bigger, better world, not only for us but our children and grandchildren. Why not write to, go visit, email, etc. all the above to help the companies achieve greatness for us all united, instead of plotting and planning how to take down and acquire all that's "gold and precious", to hide gon off hurting others and not be accountable for your own actions, to live, so you think, happily ever after… Again I stress: so you think… because if you have rotten intentions, life for you two will be just that rotten.